Bugtraq mailing list archives
Re: Re: Vulnerability in CB Captcha for Joomla and Mambo
From: none () gmail com
Date: Mon, 19 Apr 2010 17:38:20 -0600
I am 100% cretin that this is a vulnerability. The exact problem is "Client Side Trust" in that you are expecting the client to keep its state over a security system (your captcha). This is exploitable, a bot can just grab a new session with each request. You should be using a sql database to keep track of offenders based on their $_SERVER['REMOTE_ADDR'], and nothing else. Further more if you build security systems you MUST be responsible for when they end up on bugtraq.
Current thread:
- Vulnerability in CB Captcha for Joomla and Mambo MustLive (Apr 15)
- Re: Vulnerability in CB Captcha for Joomla and Mambo Susan Bradley (Apr 16)
- Re: Vulnerability in CB Captcha for Joomla and Mambo James Martin (Apr 19)
- Re: Vulnerability in CB Captcha for Joomla and Mambo Susan Bradley (Apr 19)
- Re: Vulnerability in CB Captcha for Joomla and Mambo Matteo Valenza (Apr 19)
- Re: Vulnerability in CB Captcha for Joomla and Mambo MustLive (Apr 19)
- Re: Vulnerability in CB Captcha for Joomla and Mambo James Martin (Apr 19)
- <Possible follow-ups>
- Re: Vulnerability in CB Captcha for Joomla and Mambo nant (Apr 16)
- Re: Vulnerability in CB Captcha for Joomla and Mambo nant (Apr 19)
- Re: Re: Vulnerability in CB Captcha for Joomla and Mambo none (Apr 20)
- Re: Vulnerability in CB Captcha for Joomla and Mambo MustLive (Apr 28)
- Re: Vulnerability in CB Captcha for Joomla and Mambo Susan Bradley (Apr 16)